Fix CSRF token handling: add session to index.php, fix cookie_secure for HTTPS

This commit is contained in:
root
2026-02-03 20:51:45 +00:00
parent 72c9b4e9b4
commit 165c418c75
4 changed files with 15 additions and 3 deletions


@@ -1,5 +1,8 @@
<?php <?php
// Enhanced Contact Form Handler with Security // Enhanced Contact Form Handler with Security
ini_set('session.cookie_samesite', 'Lax');
ini_set('session.cookie_httponly', '1');
ini_set('session.cookie_secure', '1');
session_start(); session_start();
// Form handler restored - temporary fix removed // Form handler restored - temporary fix removed
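Review bot: The three session `ini_set()` calls added before `session_start()` here are now copied verbatim into four entry points (this hunk and the three sections below), which is exactly how the two `'0'` values this commit corrects drifted in the first place; move them into one shared bootstrap file that every entry point requires before `session_start()`. While centralising, add `ini_set('session.use_strict_mode', '1');` so PHP refuses to adopt a session ID it did not issue, which matters once the CSRF token lives in the session. The handler's token check is outside this hunk, so whether it compares with `hash_equals()` cannot be confirmed from here.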


@@ -1,5 +1,13 @@
<?php <?php
// Enhanced security headers // Enhanced security headers
// Session for CSRF token
ini_set('session.cookie_samesite', 'Lax');
ini_set('session.cookie_httponly', '1');
ini_set('session.cookie_secure', '1');
session_start();
if (!isset($_SESSION['csrf_token'])) {
$_SESSION['csrf_token'] = bin2hex(random_bytes(32));
}
header('X-Content-Type-Options: nosniff'); header('X-Content-Type-Options: nosniff');
header('X-Frame-Options: DENY'); header('X-Frame-Options: DENY');
header('X-XSS-Protection: 1; mode=block'); header('X-XSS-Protection: 1; mode=block');
@@ -1105,7 +1113,8 @@ $twitter_card_image = "https://ukdataservices.co.uk/assets/images/ukds-main-logo
</div> </div>
<div class="contact-form"> <div class="contact-form">
<form action="contact-handler.php" method="POST" class="form" novalidate> <form action="contact-handler.php" method="POST" class="form" novalidate>
<input type="hidden" name="csrf_token" value="<?php echo htmlspecialchars($_SESSION['csrf_token']); ?>">
<div class="form-group"> <div class="form-group">
<label for="name">Contact Name *</label> <label for="name">Contact Name *</label>
<input type="text" id="name" name="name" required aria-required="true" aria-describedby="name-error" autocomplete="name"> <input type="text" id="name" name="name" required aria-required="true" aria-describedby="name-error" autocomplete="name">
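Review bot: The hidden input in the second hunk embeds the session token in the rendered page, so index.php must not be served from a shared page cache (CDN or reverse-proxy cache) — the first visitor's token and session cookie would otherwise be handed to everyone; if any such cache sits in front of the site, add `header('Cache-Control: no-store');` beside the other headers in the first hunk. The token generation itself is sound (`random_bytes()` is the right source), though it throws when no entropy source is available, and since this runs before any output that failure surfaces as an uncaught exception on the front page. The second hunk starts and ends mid-template, and the code that verifies the token on submit is not visible in this commit, so the `hash_equals()` comparison on the receiving side cannot be confirmed here.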


@@ -3,7 +3,7 @@
// Ensure session cookie is available for AJAX requests // Ensure session cookie is available for AJAX requests
ini_set('session.cookie_samesite', 'Lax'); ini_set('session.cookie_samesite', 'Lax');
ini_set('session.cookie_httponly', '1'); ini_set('session.cookie_httponly', '1');
ini_set('session.cookie_secure', '0'); // Set to '1' if using HTTPS ini_set('session.cookie_secure', '1'); // Set to '1' if using HTTPS
session_start(); session_start();
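Review bot: The trailing comment on the changed line, `// Set to '1' if using HTTPS`, now describes a choice that has already been made and reads as if the value were still conditional; replace it with the invariant it enforces, e.g. `ini_set('session.cookie_secure', '1'); // HTTPS-only site: never send the session cookie over plain HTTP`. The same stale comment survives on the changed line in the last file section below. With the flag hard-coded to `'1'`, a plain-HTTP deployment (local dev, a misconfigured vhost) gets no session cookie at all and every CSRF check fails silently, so it is worth either documenting HTTPS as a hard requirement or failing loudly at bootstrap when `$_SERVER['HTTPS']` is empty.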
// Security headers // Security headers


@@ -2,7 +2,7 @@
// Start session before any output // Start session before any output
ini_set('session.cookie_samesite', 'Lax'); ini_set('session.cookie_samesite', 'Lax');
ini_set('session.cookie_httponly', '1'); ini_set('session.cookie_httponly', '1');
ini_set('session.cookie_secure', '0'); // Set to '1' if using HTTPS ini_set('session.cookie_secure', '1'); // Set to '1' if using HTTPS
session_start(); session_start();
// Enhanced security headers // Enhanced security headers